FEDERAL INFORMATION SECURITY MANAGEMENT ACT REPORT

Fiscal Year 2008 Evaluation of the Social Security Administration's Compliance with the Federal Information Security Management Act

September 2008    A-14-08-18063

Patrick P. O'Carroll, Jr. – Inspector General


Mission
By conducting independent and objective audits, evaluations and investigations, we inspire public confidence in the integrity and security of SSA's programs and operations and protect them against fraud, waste and abuse. We provide timely, useful and reliable information and advice to Administration officials, Congress and the public.

Authority
The Inspector General Act created independent audit and investigative units, called the Office of Inspector General (OIG). The mission of the OIG, as spelled out in the Act, is to:

• Conduct and supervise independent and objective audits and investigations relating to agency programs and operations.
• Promote economy, effectiveness, and efficiency within the agency.
• Prevent and detect fraud, waste, and abuse in agency programs and operations.
• Review and make recommendations regarding existing and proposed legislation and regulations relating to agency programs and operations.
• Keep the agency head and the Congress fully and currently informed of problems in agency programs and operations.

To ensure objectivity, the IG Act empowers the IG with:

• Independence to determine what reviews to perform.
• Access to all information necessary for the reviews.
• Authority to publish findings and recommendations based on the reviews.

Vision
We strive for continual improvement in SSA's programs, operations and management by proactively seeking new ways to prevent and deter fraud, waste and abuse. We commit to integrity and excellence by supporting an environment that provides a valuable public service while encouraging employee development and retention and fostering diversity and innovation.


SOCIAL SECURITY

MEMORANDUM

Date:     September 19, 2008                                   Refer To:

To:       The Commissioner

From:     Inspector General

Subject:  Fiscal Year 2008 Evaluation of the Social Security Administration's Compliance with the Federal Information Security Management Act (A-14-08-18063)


OBJECTIVE
Our objective was to determine whether the Social Security Administration's (SSA) overall security program and practices complied with the requirements of the Federal Information Security Management Act of 2002 (FISMA) for Fiscal Year (FY) 2008.[1]

[1] Pub. L. No. 107-347, Title III, Section 301 et seq., 44 U.S.C. § 3541 et seq.

BACKGROUND
FISMA provides the framework for securing the Government's information and information technology (IT). All agencies must implement the requirements of FISMA and report annually to the Office of Management and Budget (OMB) and Congress on the effectiveness of their security programs. FISMA requires that each agency develop, document and implement an agencywide information security program.[2]

OMB uses information reported pursuant to FISMA to evaluate agency-specific and Government-wide security performance, develop the annual security report to Congress, and assist in improving and maintaining adequate agency security performance. OMB issued FY 2008 FISMA guidance on July 14, 2008.[3]

[2] Pub. L. No. 107-347, Title III, Section 301 (b)(1) § 3544 (b), 44 U.S.C. § 3544 (b).
[3] OMB Memorandum M-08-21, FY 2008 Reporting Instructions for the Federal Information Security Management Act and Agency Privacy Management, July 14, 2008.

SCOPE AND METHODOLOGY

FISMA directs each agency's Office of Inspector General (OIG) to perform an annual, independent evaluation of the effectiveness of the agency's information security program and practices.[4] We contracted with PricewaterhouseCoopers, LLP (PwC) to audit SSA's FY 2008 financial statements.[5] Because of the extensive internal control system review that is completed as part of that audit, the OIG FISMA requirements were incorporated into the PwC financial statement audit contract. This evaluation included reviews of SSA's mission-critical sensitive systems, as described in the Government Accountability Office's Federal Information System Controls Audit Manual (FISCAM). PwC used FISMA, OMB guidance,[6] National Institute of Standards and Technology (NIST) guidance, FISCAM, and other relevant security laws and regulations as a framework to complete the required OIG review of SSA's information security program and its sensitive systems. In June 2008, the President's Council on Integrity and Efficiency (PCIE) issued a white paper[7] related to the protection of Personally Identifiable Information (PII), OIG access to records, and key escrow management. In August 2008, we informed SSA that we would include an assessment of these issues in our FISMA work since they are intrinsically related to FISMA requirements. See Appendix D for more details on the Scope and Methodology.

[4] Pub. L. No. 107-347, Title III, Section 301 (b)(1) § 3545 (b), 44 U.S.C. § 3545 (b).
[5] OIG Contract Number GS-23F-0165N, March 16, 2001. The FY 2008 option was exercised on November 26, 2007.
[6] See footnote 3.
[7] PCIE Information Technology Investigations Sub-Committee Report, Key Escrow Management and File Encryption Challenges for the Federal Inspector General Community, June 2008.

SUMMARY OF RESULTS
Based on the results of OIG's and PwC's audit work, we determined that SSA substantially met the FISMA requirements for FY 2008. SSA continues to work towards maintaining a secure environment for its information and systems and has made improvements since FY 2007 to strengthen its compliance with FISMA. For example, SSA continues to have sound remediation, certification and accreditation (C&A), and inventory processes. In FY 2008, SSA completed an inventory of its 20 major systems and over 300 subsystems. Our review found the FY 2008 inventory was accurate and complete.

SSA also maintained C&A for all 20 major systems and conducted re-certifications of 4 major systems using NIST Special Publication (SP) 800-37 guidance.[8] Over the past 3 years, we have reviewed all 20 C&As for the major systems, and they were substantially compliant with NIST SP 800-37. We reviewed SSA's Plans of Action and Milestones (POA&M) process, inventory process and overall security program. See Appendix E for the complete list of major systems and applications that have been certified and accredited.

[8] NIST SP 800-37, Guide for the Security Certification and Accreditation of Federal Information Systems, May 2004.

Even though we noted several areas that would enhance security of SSA's systems and sensitive information, these issues do not rise to the level of non-compliance with FISMA requirements either collectively or individually. SSA should ensure

• adequate protection of PII;
• the C&A process and the systems inventory are robust and complete to support a sound information security program;
• the POA&M process appropriately maintains and monitors the remediation of deficiencies;
• implementation of effective system access controls; and
• all employees and contractors receive security awareness and specialized training.

During our FISMA review, nothing came to our attention that warranted further action related to the PCIE's recommendations at this time.

SSA'S EFFORTS TO PROTECT PII

Over the past several years, OMB has issued guidance on safeguarding PII and has included specific reporting requirements in the annual FISMA guidance. The current FISMA guidance[9] requires that agencies include the following items in an appendix to their annual FISMA report:

• a breach notification policy;
• an implementation plan and progress to eliminate unnecessary use of Social Security numbers (SSN);
• an implementation plan and progress update on review and reduction of holdings of PII; and
• a policy outlining rules of behavior and identifying consequences and corrective actions available for failure to follow these rules.

SSA has included these four PII-related items in its FY 2008 FISMA submission. SSA has created a website for employees that explains responsibilities, policies and procedures for protecting PII. The website contains Policy and Procedures for All SSA Employees for Reporting the Loss or Suspected Loss of Personally Identifiable Information. In addition to training for employees, SSA is working to eliminate unnecessary use of the SSN and reduce holdings of PII. The Agency has a policy outlining rules of behavior[10] but needs to improve Agency-wide procedures to ensure better identification of violations and consistent actions taken against the violators. Stronger procedures will likely result in more consistent and appropriate handling of violations and improve the effectiveness of the rules of behavior as a deterrent for inappropriate activity.

[9] OMB M-08-21, supra at cover page.
[10] Information Systems Security Handbook (ISSH), Rules of Behavior for Users and Managers of SSA's Automated Information Resources, March 23, 2001.

The Agency has also established a PII Executive Steering Committee (ESC), which provides oversight and recommendations on SSA policy, and the PII Breach Response Group, whose role is to engage in Agency planning in the event of a breach. While the OIG has been included as a member in the PII Breach Response Group, it has not been invited to fully participate in critical meetings. Similarly, OIG has not been included in the PII ESC, as recommended by OMB.[11] By allowing the OIG to participate to the fullest extent feasible in these groups, SSA will be better able to respond to data losses.

While SSA has taken numerous steps to protect PII, OIG audit work completed during FY 2008 identified areas that could be improved. When developing its plan to reduce unnecessary use of SSNs, SSA should consider a cross-section of potential SSN uses. For example, SSA should consider information currently sent to disability determination services (DDS) contractors providing services to beneficiaries and ensure contractors are only receiving information they need to know. Additionally, one of our audit reports found that SSA's publication of the Death Master File (DMF) has resulted in the breach of PII. Each year SSA adds 2.5 million death records to the DMF, which SSA publishes to the public with a 99.59 percent accuracy rate. Our audit was limited to data between January 2004 and April 2007 and found over 20,000 living individuals erroneously listed as deceased on the DMF and their PII exposed.[12] The OMB requirement for Agencies to report PII incidents to the U.S. Computer Emergency Readiness Team (US-CERT) was issued in July 2006.[13] SSA has begun to notify US-CERT and is conducting a risk assessment to determine how to best inform the individuals erroneously listed in the DMF. SSA has also implemented different methods and explored ways to reduce the error cases. SSA should continue to ensure that these types of situations are addressed in its plan to reduce the unnecessary use of SSNs. As SSA strives to safeguard the PII in its possession, it needs to continue to assess and enhance policies and procedures.

[11] OMB Memorandum, Recommendations for Identity Theft Related Data Breach Notification, September 20, 2006, attachment, page 2, and OMB Memorandum M-07-16, Safeguarding Against and Responding to the Breach of Personally Identifiable Information, May 22, 2007, page 1.
[12] OIG Report, Personally Identifiable Information Made Available to the General Public Via the Death Master File (A-06-08-18042), May 2008.
[13] OMB Memorandum M-06-19, Reporting Incidents Involving Personally Identifiable Information and Incorporating the Cost for Security in Agency Information Technology Investments, July 12, 2006. This Memorandum requires agencies to report PII related incidents to US-CERT within 1 hour of the discovery of the incident.

SSA'S CERTIFICATION AND ACCREDITATION PROCESS AND SYSTEM INVENTORY

SSA conducted C&As for each of the 20 major systems, at least every 3 years, in accordance with NIST Special Publication 800-37. We have cumulatively reviewed the 20 C&As for the major systems over the past 3 years. SSA's C&A process is substantially compliant with FISMA and NIST requirements and standards. However, we did note several areas where SSA could improve its C&A process.

Our review of documentation showed that SSA's security assessment and evaluation met the NIST security assessment requirements. However, SSA's assessments were largely based on examinations and interviews. We recommend that SSA increase the depth of testing of its security controls. In each of the C&A documentation packages we reviewed this year, only limited security controls of the systems were "tested."[14] In our opinion, additional in-depth testing of its security controls and program would give SSA more assurance of the soundness of its security program, particularly in light of the rapid changes in the information security field. For example, SSA's security control assessment did not identify several security weaknesses in its general support system that were identified by PwC's security testing performed during the FY 2008 Financial Statement audit.

SSA could enhance the documentation of risk remediation results and residual risk in its C&A packages, as recommended by NIST.[15] We did not find a list of POA&Ms for some of the C&A security findings, nor did we find clear documentation of residual risk for the systems reviewed. Based on our discussion with Agency personnel, SSA is considering improving the documentation of the system's residual risk and will ensure all POA&Ms are properly documented.

During our audit, we examined the completeness of SSA's FY 2008 System Inventory by conducting comparison and analysis, reviewing numerous documents and holding discussions with Agency personnel regarding SSA's annual System Inventory process. We did note a few subsystems listed in the C&As and other documentation that were not included in SSA's official inventory for FY 2008. The Agency added these to the inventory. We are not aware of any other omissions. As a result, we concluded that SSA's System Inventory includes more than 96 percent of the Agency's major systems and subsystems, and that these were covered by the C&A process. However, SSA should ensure consistency between its C&A documentation and official system inventory.

[14] NIST SP 800-53A, Guide for Assessing the Security Controls in Federal Information Systems, July 2008, page 9, defines 3 security control assessment methods: examine, interview and test. The examine method is the process of reviewing, inspecting, observing, studying, or analyzing one or more assessment objects. The interview method is the process of conducting discussions with individuals or groups of individuals within an organization to, once again, facilitate assessor understanding, achieve clarification, or obtain evidence. The test method is to compare actual with expected behavior.
[15] NIST SP 800-30, Risk Management Guide for Information Technology Systems, July 2002, page 40, defines Residual Risk as "The risk remaining after the implementation of new or enhanced controls is the residual risk."

SSA'S PLAN OF ACTION AND MILESTONES PROCESS

OMB FISMA guidance states that the purpose of a POA&M process is to identify and track all IT system security weaknesses in one central location.[16] SSA has designated the Office of the Chief Information Officer (OCIO) as the responsible component. OCIO uses the Automated System Security Evaluation and Remediation Tracking (ASSERT) software to monitor and report on IT security weaknesses. OCIO also uses ASSERT to support the POA&M process that tracks identified IT security weaknesses through the correction or remediation of these weaknesses.

[16] OMB M-08-21, supra, question 34 at page 13.

We found that SSA's ASSERT tool was implemented as an Agency-wide tool. However, there are areas that need improvement. We tested 20 security weaknesses that should be included in ASSERT to test its completeness. We did not find 4 of the 20 weaknesses or their POA&Ms. We also noted the OCIO had experienced difficulties receiving all reports on IT security weaknesses. Increased coordination between OCIO and security components would improve the POA&M process.

The Agency has made progress and continues to improve its policies and procedures to ensure all IT security weaknesses are appropriately included in the tracking and remediation processes. The Agency needs to ensure it complies with and fully implements these policies and procedures.

IMPLEMENTATION OF SYSTEM ACCESS CONTROLS

Controlling and limiting access to the Agency's information systems and resources is the first line of defense in ensuring the confidentiality, integrity, and availability of the Agency's IT resources. Over the years, SSA has worked to establish sufficient access controls, as evidenced by the use of Top Secret software and the System Security Profile Project. As a result, in FY 2005, the access control issue was removed as a reportable condition from SSA auditors' financial statement report. However, we noted instances where SSA's access controls could be strengthened.

For example, some programmers had excessive access to production data of certain SSA systems. SSA should ensure that individuals only have access to the systems that are necessary for them to perform their duties. Another area involved access to sensitive data held by DDS employees.[17] These are State employees who perform services for SSA and periodically need to access SSA records.

We found that

• some DDS employees were granted unneeded access to SSA's sensitive data;
• access control software did not suspend access after a period of non-use if the default password had never been changed; and
• access needs for each resource contained in the DDS profiles had not been documented for DDS employees.

[17] OIG Report, Access to Social Security Administration Data Provided by Disability Determination Services Positional Profiles (A-14-07-17024), September 28, 2007.

Our audit work in FYs 2007 and 2008 observed a need to strengthen employment suitability checks of SSA contractor personnel. We found that a number of contractor staff did not receive background checks.[18] Therefore, these individuals should not have been permitted to work at an SSA facility or have physical access to Agency hardware or facilities that may contain program or sensitive information. As a result, SSA may be exposing its sensitive data to possible compromise. SSA should continue to work to strengthen access controls in both of these areas.

[18] OIG Report, The Social Security Administration's Information Technology Maintenance and Local Area Network Relocation Contract (A-14-07-17022), May 21, 2007; OIG Report, The Social Security Administration's Consulting Service Contract for the Time Allocation System (A-14-08-18020), August 2008; and OIG Report, The Social Security Administration's Enterprise-wide Network Infrastructure Contract (A-14-08-18014), September 2008.

SECURITY AWARENESS AND SPECIALIZED TRAINING FOR EMPLOYEES AND CONTRACTOR PERSONNEL

Security Awareness and Specialized Security Training for Agency Personnel and Contractors

SSA needs to ensure that all Agency personnel and contractors receive security awareness training. OMB guidance states that all Agency and contractor personnel must have security awareness training each year.[19] Historically, all SSA employees have received some form of security awareness information and annually signed that they read SSA's security awareness policies. This year, our testing showed that, while most SSA personnel had received security awareness training, SSA could not provide documentation for all individuals.

SSA requires that all contractor personnel read and sign annual statements that they completed SSA's security awareness training. This year, the Agency implemented a process of centrally maintaining and monitoring the security awareness efforts for its contractors. However, over 20,000 of 22,000 contractors did not receive any security awareness training. For example, some of the contractors who did not receive security awareness training were individuals assigned to install hardware on SSA's network.[20]

[19] OMB M-08-21, supra, question 43 at page 26.
[20] OIG Report, The Social Security Administration's Enterprise-wide Network Infrastructure Contract (A-14-08-18014), September 2008.

Identifying Individuals with Significant IT Security Responsibilities

According to FISMA, agencies are required to ensure that employees and contractor personnel with significant IT security responsibilities receive security awareness and specialized training.[21] Meeting this requirement involves two steps: identifying individuals who have significant IT security responsibilities and ensuring these people receive specialized training.

In 2007, SSA developed and implemented a clear definition for the employees with significant IT security responsibilities.[22] Our 2007 review noted numerous employees that seemed to fit the description; however, the Agency did not identify them as having significant IT responsibilities. This year, we observed a significant improvement in SSA's effort to identify employees and contractors with significant IT responsibilities.

During our review of specialized training, we noted one area related to SSA's physical security and overall IT security that the Agency still needs to address. Our testing noted a small number of employees and contractors who were involved with the implementation of Homeland Security Presidential Directive (HSPD) 12[23] who were not identified by SSA as having significant IT responsibilities[24] and therefore did not receive any specialized training. SSA needs to ensure appropriate security training is provided to Agency and contractor personnel with significant IT security responsibilities. SSA has the ultimate responsibility to ensure those who could impact its systems have sufficient security awareness and specialized training.

[21] Pub. L. No. 107-347, Title III, Section 301 (b)(1) § 3544 (a)(3)(D), 44 U.S.C. § 3544 (a)(3)(D).
[22] SSA's ISSH Appendix H states: "Employees with high levels of access to sensitive data who could affect agency-wide operations and/or who perform security, investigative, or auditing activities on a frequent basis. Personnel in these roles have significant access to sensitive information, such as social security records, medical records, business confidential documents, and other personally identifiable information, which needs to be protected against unauthorized access; fraudulent activities; and inappropriate disclosure and modification."
[23] HSPD-12 mandates the development of a common identification standard for Federal employees and contractors.
[24] ISSH, Appendix H, Security Training.

KEY ESCROW MANAGEMENT AND FILE ENCRYPTION CHALLENGES

In June 2008, the PCIE issued a white paper[25] to all Inspectors General regarding concerns related to protection of PII, OIG access to records, and key escrow management.[26] Recommendations were made to OIGs on how to better secure protection of PII based on OMB requirements. These recommendations addressed the following areas.

1. Diligent protection of sensitive PII and implementation of appropriate information security controls.
2. Ensuring OIG access to all (including contractor) records, reports, audits, reviews, documents, papers, recommendations, or other material available to accomplish its programs and operations.
3. Prevention of commingling of Federal data at contractors that store SSA data.
4. Establishment of a key management policy that describes the goals, responsibilities, and overall requirements for the management of cryptographic keying material used to protect private or critical facilities, processes, or information.

[25] PCIE Information Technology Investigations Sub-Committee white paper, Key Escrow Management and File Encryption Challenges for the Federal Inspector General Community, June 2008.
[26] Key escrow is an arrangement in which the keys needed to decrypt encrypted data are held in escrow by a third party so that, under certain circumstances, an authorized third party may gain access to those keys.

While these issues are not expressly discussed in OMB's FY 2008 FISMA guidance, they are closely related to the intent of FISMA and OMB's emphasis on the protection of PII. During our FISMA review, nothing came to our attention that warranted further action related to the PCIE's recommendations at this time. To improve processing in these areas, SSA is expanding policies and procedures for key escrow management, file encryption, and standardized contract language.

CONCLUSIONS AND RECOMMENDATIONS
During our FY 2008 FISMA evaluation, we determined that SSA substantially met the requirements of FISMA. SSA worked cooperatively with the OIG to identify ways to comply with FISMA. SSA continues to operate a myriad of security controls to protect its sensitive data, assets, and operations. SSA develops new policies and procedures when required.

To continue to strengthen SSA's overall security program and practices and to ensure future compliance with FISMA and other information security related laws and regulations, we recommend SSA ensure:

1. Controls to protect PII, including reporting loss of PII, are fully implemented in accordance with OMB guidance.
2. Sufficient testing of security controls in the C&A process to fully identify system security weaknesses.
3. All C&As are properly and consistently prepared and include risk remediation results and residual risk documentation.
4. All systems and subsystems documented in the C&A package are consistent with SSA's official system inventory.
5. All IT security weaknesses are timely reported to OCIO and properly recorded and monitored in the POA&M system.
6. System access controls are fully implemented to meet least privilege criteria for all users of SSA's systems.
7. All Agency and contractor personnel receive annual security awareness training.
8. All Agency and contractor personnel with significant IT responsibility receive specialized training.

Patrick P. O'Carroll, Jr.


Appendices
APPENDIX A – Acronyms
APPENDIX B – Office of the Inspector General's Completion of the Office of Management and Budget's Questions Concerning the Social Security Administration's Compliance with the Federal Information Security Management Act
APPENDIX C – Background and Current Security Status
APPENDIX D – Scope and Methodology
APPENDIX E – Systems Certified and Accredited in Fiscal Year 2008
APPENDIX F – OIG Contacts and Staff Acknowledgments


Appendix A

Acronyms
ASSERT        Automated System Security Evaluation and Remediation Tracking
C&A           Certification and Accreditation
DDS           Disability Determination Services
DMF           Death Master File
ESC           Executive Steering Committee
FIPS          Federal Information Processing Standard
FISCAM        Federal Information System Controls Audit Manual
FISMA         Federal Information Security Management Act
FY            Fiscal Year
HSPD          Homeland Security Presidential Directive
IT            Information Technology
ISSH          Information Systems Security Handbook
NIST          National Institute of Standards and Technology
OCIO          Office of the Chief Information Officer
OIG           Office of the Inspector General
OMB           Office of Management and Budget
PCIE          President's Council on Integrity and Efficiency
PIA           Privacy Impact Assessments
PII           Personally Identifiable Information
Pub. L. No.   Public Law Number
POA&M         Plan of Action and Milestones
PwC           PricewaterhouseCoopers LLP
SP            Special Publication
SSA           Social Security Administration
SSN           Social Security Number
U.S.C.        United States Code
US-CERT       United States Computer Emergency Readiness Team


Appendix B

Office of the Inspector General's Completion of the Office of Management and Budget Questions Concerning the Social Security Administration's Compliance with the Federal Information Security Management Act

Section C Inspector General: Questions 1 and 2

Agency Name: Social Security Administration                    Submission date: 9/24/07

Question 1: FISMA Systems Inventory
1. As required in FISMA, the IG shall evaluate a representative subset of systems used or operated by an agency or by a contractor of an agency or other organization on behalf of an agency.

In the table below, identify the number of agency and contractor information systems, and the number reviewed, by component/bureau and FIPS 199 system impact level (high, moderate, low, or not categorized). Extend the worksheet onto subsequent pages if necessary to include all Component/Bureaus.

Agency systems shall include information systems used or operated by an agency. Contractor systems shall include information systems used or operated by a contractor of an agency or other organization on behalf of an agency. The total number of systems shall include both agency systems and contractor systems.

Agencies are responsible for ensuring the security of information systems used by a contractor of their agency or other organization on behalf of their agency; therefore, self-reporting by contractors does not meet the requirements of law. Self-reporting by another Federal agency, for example, a Federal service provider, may be sufficient. Agencies and service providers have a shared responsibility for FISMA compliance.

Social Security Administration      a. Agency Systems          b. Contractor Systems      c. Total Number of Systems
                                                                                            (Agency and Contractor systems)
FIPS 199 System Impact Level     Number   Number Reviewed    Number   Number Reviewed    Total Number   Total Number Reviewed
High                                  0                 0         0                 0               0                       0
Moderate                              8                 8         0                 0               8                       8
Low                                  12                12         0                 0              12                      12
Not Categorized                       0                 0         0                 0               0                       0
Agency Totals                        20                20         0                 0              20                      20

2. For the Total Number of Systems reviewed by Component/Bureau and FIPS System Impact Level in the table for Question 1, identify the number and percentage of systems which have: a current certification and accreditation, security controls tested and reviewed within the past year, and a contingency plan tested in accordance with policy.

Question 2: Certification and Accreditation, Security Controls Testing, and Contingency Plan Testing

Social Security Administration    a. Number of systems           b. Number of systems for which     c. Number of systems for which
                                  certified and accredited       security controls have been         contingency plans have been
                                                                 tested and evaluated in the         tested in accordance with policy
                                                                 past year
FIPS 199 System Impact Level   Total Number  Percent of Total   Total Number  Percent of Total     Total Number  Percent of Total
High                                      0               0.0              0               0.0                0               0.0
Moderate                                  8              40.0              8              40.0                8              40.0
Low                                      12              60.0             12              60.0               12              60.0
Not Categorized                           0               0.0              0               0.0                0               0.0
Agency Totals                            20             100.0             20             100.0               20             100.0

Question 3: Evaluation of Agency Oversight of Contractor Systems and Quality of Agency System
                    Inventory\n\nIn the format below, evaluate the agency\xe2\x80\x99s oversight of contractor systems, and agency system inventory.\n\n          The agency performs oversight and evaluation to ensure information\n          systems used or operated by a contractor of the agency or other\n          organization on behalf of the agency meet the requirements of\n          FISMA, OMB policy and NIST guidelines, national security policy, and\n          agency policy.\n\n          Agencies are responsible for ensuring the security of information systems\n          used by a contractor of their agency or other organization on behalf of their   N/A. SSA does not use\n          agency; therefore, self reporting by contractors does not meet the              any systems that are\n  3.a.    requirements of law. Self-reporting by another Federal agency, for              controlled or managed\n          example, a Federal service provider, may be sufficient. Agencies and            by contractors or other\n          service providers have a shared responsibility for FISMA compliance.            
organizations\n\n          Response Categories:\n                - Rarely, for example, approximately 0-50% of the time\n                - Sometimes, for example, approximately 51-70% of the time\n                - Frequently, for example, approximately 71-80% of the time\n                - Mostly, for example, approximately 81-95% of the time\n                 - Almost Always, for example, approximately 96-100% of the time\n          The agency has developed an inventory of major information\n          systems (including major national security systems) operated by or\n          under the control of such agency, including an identification of the\n          interfaces between each such system and all other systems or\n          networks, including those not operated by or under the control of the\n          agency.\n                                                                                          Approximately 96-\n 3.b.\n                                                                                          100% complete\n          Response Categories:\n               - Approximately 0-50% complete\n               - Approximately 51-70% complete\n               - Approximately 71-80% complete\n               - Approximately 81-95% complete\n               - Approximately 96-100% complete\n\n          The OIG generally agrees with the CIO on the number of agency-owned\n  3.c.                                                                                             Yes\n          systems.\n\n\n          The OIG generally agrees with the CIO on the number of information\n 3.d.     systems used or operated by a contractor of the agency or other                          Yes\n          organization on behalf of the agency.\n\n\n  3.e.    The agency inventory is maintained and updated at least annually.                        
Yes\n\n          If the Agency IG does not evaluate the Agency\xe2\x80\x99s inventory as 96-100%\n          complete, please list the known missing systems by Component/Bureau,\n          the Unique Project Identifier (UPI) associated with the system as\n  3.f.    presented in your FY 2008 Exhibit 53 (if known), and indicate if the system              N/A\n          is an agency or contractor system.\n\n\n\n\n                                                  B-3\n\x0c     Question 4: Evaluation of Agency Plan of Action and Milestones (POA&M) Process\n\nAssess whether the agency has developed, implemented, and is managing an agency-wide plan of\naction and milestones (POA&M) process. Evaluate the degree to which each statement reflects the\nstatus in your agency by choosing from the responses provided. If appropriate or necessary,\ninclude comments in the area provided.\n\nFor each statement in items 4.a. through 4.f., select the response category that best reflects the\nagency\'s status.\n\n      -   Rarely, for example, approximately 0-50% of the time\n      -   Sometimes, for example, approximately 51-70% of the time\n      -   Frequently, for example, approximately 71-80% of the time\n      -   Mostly, for example, approximately 81-95% of the time\n      -   Almost Always, for example, approximately 96-100% of the time\n\n                     The POA&M is an agency-wide process,\n                     incorporating all known IT security\n                     weaknesses associated with information       - Almost Always, for example,\n       4.a.\n                     systems used or operated by the agency      approximately 96-100% of the time\n                     or by a contractor of the agency or other\n                     organization on behalf of the agency.\n                     When an IT security weakness is\n                     identified, program officials (including\n                                                                  - Almost Always, 
for example,\n       4.b.          CIOs, if they own or operate a system)\n                                                                 approximately 96-100% of the time\n                     develop, implement, and manage\n                     POA&Ms for their system(s).\n                     Program officials and contractors report\n                     their progress on security weakness          - Mostly, for example,\n       4.c.\n                     remediation to the CIO on a regular basis   approximately 81-95% of the time\n                     (at least quarterly).\n\n                     Agency CIO centrally tracks, maintains,\n                                                                  - Mostly, for example,\n       4.d.          and reviews POA&M activities on at least\n                                                                 approximately 81-95% of the time\n                     a quarterly basis.\n\n                       OIG findings are incorporated into the    - Almost Always, for example,\n       4.e.\n                       POA&M process.                           approximately 96-100% of the time\n                       POA&M process prioritizes IT security\n                       weaknesses to help ensure significant IT\n                                                                 - Almost Always, for example,\n         4.f.          security weaknesses are addressed in a\n                                                                approximately 96-100% of the time\n                       timely manner and receive appropriate\n                       resources\nPOA&M process comments: 4c & 4d. Agency should improve its monitoring process to ensure\nthat all findings are included in the process. 
SSA needs to ensure that all appropriate issues from\nthe Financial Statement audit and low risk recommendations are accurately tracked.\n\n\n\n\n                                              B-4\n\x0c          Question 5: IG Assessment of the Certification and Accreditation Process\nProvide a qualitative assessment of the agency\'s certification and accreditation process, including\nadherence to existing policy, guidance, and standards. Provide narrative comments as appropriate.\n\nAgencies shall follow NIST Special Publication 800-37, "Guide for the Security Certification and\nAccreditation of Federal Information Systems" (May 2004) for certification and accreditation work\ninitiated after May 2004. This includes use of the FIPS 199, "Standards for Security Categorization\nof Federal Information and Information Systems" (February 2004) to determine a system impact\nlevel, as well as associated NIST document used as guidance for completing risk assessments and\nsecurity plans.\n                The IG rates the overall quality of the\n                Agency\'s certification and accreditation\n                process as:\n\n             Response Categories:\n   5.a.                                                           
- Good\n                   - Excellent\n                   - Good\n                   - Satisfactory\n                   - Poor\n                   - Failing\n             The IG\'s quality rating included         Security plan                 \xe2\x88\x9a\n             or considered the following\n             aspects of the C&A process:              System impact level           \xe2\x88\x9a\n             (check all that apply)                   System test and evaluation    \xe2\x88\x9a\n                                                      Security control testing      \xe2\x88\x9a\n   5.b.\n                                                      Incident handling             \xe2\x88\x9a\n                                                      Security awareness training   \xe2\x88\x9a\n                                                      Configurations/patching       \xe2\x88\x9a\n                                         Other:\nC&A process comments: SSA should enhance C&A testing to fully identify security weaknesses.\n\n\n\n\n                                                B-5\n\x0c  Question 6-7: IG Assessment of Agency Privacy Program and Privacy Impact Assessment\n                                            (PIA) Process\n        Provide a qualitative assessment of the agency\'s Privacy\n        Impact Assessment (PIA) process, as discussed in Section D\n        Question # 5 (SAOP reporting template), including adherence\n        to existing policy, guidance, and standards.\n\n         Response Categories:\n  6                                                                               Excellent\n          - Excellent\n          - Good\n          - Satisfactory\n          - Poor\n          - Failing\n\nComments:\n\n         Provide a qualitative assessment of the agency\'s progress to date\n         in implementing the provisions of M-07-16, Safeguarding Against\n         and Responding to the Breach of Personally Identifiable\n         Information.\n  
7\n         Response Categories:                                                  Excellent\n          - Excellent\n          - Good\n          - Satisfactory\n          - Poor\n          - Failing\n\nComments: While the Agency has made excellent progress to improve its protection of PII, there are\nareas the Agency could improve. For example, the Agency needs to ensure the OIG is an active\nparticipate in workgroups chartered to protect PII.\n\n\n\n\n                             Question 8: Configuration Management\n\n         Is there an agency-wide security configuration policy?\n 8.a.                                                                                 Yes\n         Yes or No.\n Comments: SSA does have agency-wide security configuration policies. However, SSA does not\nhave a procedure in place to monitor compliance with its Oracle configuration policy. Problems with\nOracle configuration were noted during the security testing of FY 2008 Financial Statement Audit.\n\n\n\n\n                                               B-6\n\x0c         Approximate the extent to which applicable systems implement\n         common security configurations, including use of common security\n         configurations available form the National Institute of Standards and\n         Technology\xe2\x80\x99s website at http://checklists.nist.gov.\n                                                                                 Almost Always- for\n 8.b.    
Response categories:                                                    example,\n                                                                                 approximately 96-\n         Rarely- for example, approximately 0-50% of the time                    100% of the time\n          - Sometimes- for example, approximately 51-70% of the time\n          - Frequently- for example, approximately 71-80% of the time\n          - Mostly- for example, approximately 81-95% of the time\n          - Almost Always- for example, approximately 96-100% of the time\n\n\n         Indicate which aspects of Federal Desktop Core Configuration\n 8.c.\n         (FDCC) have been implemented as of this report:\n\n         c.1. Agency has adopted and implemented FDCC standard\n                                                                                 Yes\n         configurations and has documented deviations. Yes or No.\n\n         c.2. New Federal Acquisition regulation 2007-004 language, which\n         modified \xe2\x80\x9cPart 39-Acquisition of Information Technology\xe2\x80\x9d, is\n                                                                                 No\n         included in all contracts related to common security settings. Yes or\n         No.\n\n         c.3. All Windows XP and VISTA computing systems have\n                                                                                 Yes\n         implemented the FDCC security settings. Yes or No.\nComments: The Agency has an XP risk model and is monitoring compliance with the risk model.\nThe Agency does not currently have any VISTA systems in production.\n\n\n                                       Questions 9,10, and 11\n\n                                  Question 9: Incident Reporting\nIndicate whether or not the agency follows documented policies and procedures for reporting\nincidents internally, to US-CERT, and to law enforcement. 
If appropriate or necessary, include\ncomments in the area provided below.\n\n        The agency follows documented policies and procedures for\n 9.a.                                                                                    Yes\n        identifying and reporting incidents internally. Yes or No.\n\n        The agency follows documented policies and procedures for\n 9.b.   external reporting to the US-CERT. Yes or No. (http://www.us-                    Yes\n        cert.gov)\n\n        The agency follows documented policies and procedures for\n 9.c.                                                                                    Yes\n        reporting to law enforcement. Yes or No.\nComments: SSA needs to improve its reporting of incidents. One of our audit reports found that\nSSA\xe2\x80\x99s publication of the Death Master File (DMF) erroneously included living individuals\xe2\x80\x99 PII and\nthereby resulted in the breach of PII. The audit was limited to data between January 2004 and April\n2007 and found over 20,000 living individuals erroneously listed as deceased on the DMF and their\n\n                                                B-7\n\x0cPII exposed. In May 2008, SSA began notifying US-CERT. 
SSA is performing a risk analysis to\nassess any impact on individuals and is planning to develop a notification policy.\n\n                               Question 10: Security Awareness Training\n\n\nHas the agency ensured security awareness training of all employees, including\ncontractors and those employees with significant IT security responsibilities?\n                                                                                       Frequently- or\nResponse Categories:\n                                                                                       approximately\n - Rarely- or approximately 0-50% of employees\n                                                                                         71-80% of\n - Sometimes- or approximately 51-70% of employees\n                                                                                        employees\n - Frequently- or approximately 71-80% of employees\n - Mostly- or approximately 81-95% of employees\n - Almost Always- or approximately 96-100% of employees\n\nComments: Our review showed that 58,022 SSA employees signed annual statements that they had\nread SSA\xe2\x80\x99s security awareness policies. Additionally, 1,607 contractors received security awareness\ntraining. Therefore, we confirmed that 59,629 out of 83,925 employees and contractors or 71%\nreceived security awareness.\n\n\n          Question 11 Collaborative Web Technologies and Peer-to-Peer File Sharing\n\nDoes the agency explain policies regarding the use of collaborative web\ntechnologies and peer-to-peer file sharing in IT security awareness training,                Yes\nethics training, or any other agency-wide training? Yes or No.\n                         Question 12 E-Authentication Risk Assessments\n12.a. 
Has the agency identified all e-authentication applications and validated\nthat the applications have operationally achieved the required assurance level in\n                                                                                             Yes\naccordance with the NIST Special Publication 800-63, \xe2\x80\x9cElectronic Authentication\nGuidelines\xe2\x80\x9d? Yes or No.\n                                                   SSA did identify all e-authentication applications.\n                                                   Nothing came to our attention to indicate that the\n12.b. If the response is \xe2\x80\x9cNo\xe2\x80\x9d, then identify the   Agency did not validate all e-authentication\nsystems in which the agency has not                applications. Validation may include a wide-range of\nimplemented the e-authentication guidance          activities such as interviews, desk reviews, and\nand indicate if the agency has a planned date      automated testing. SSA would benefit by using the\nof remediation.                                    highest level of validation testing to ensure the\n                                                   security of its e-authentication application.\n\n\n\n\n                                                   B-8\n\x0c                                                                                    Appendix C\n\nBackground and Current Security Status\nThe Federal Information Security Management Act (FISMA) requires that agencies\ncreate protective environments for their information systems. It does so by creating a\nframework for annual information technology (IT) security reviews; vulnerability\nreporting; and remediation planning, implementation, evaluation, and documentation. 1\nIn Fiscal Year (FY) 2005, the Social Security Administration (SSA) resolved the\nlongstanding internal control reportable condition concerning its protection of\ninformation. 
2 SSA continues to work with the Office of the Inspector General and\nPricewaterhouseCoopers LLP to improve security over the protection of information and\nresolve other issues observed during prior FISMA reviews.\n\nThe Office of Management and Budget (OMB) continues to stress the importance of\nprotecting the public\xe2\x80\x99s privacy and Personally Identifiable Information (PII) as emphasized\nby new guidance, such as OMB Memorandum M-07-16, Safeguarding Against and\nResponding to the Breach of Personally Identifiable Information. This new guidance\nmandates agencies increase efforts to reduce the use of PII collected and held. OMB is\nincorporating more privacy and PII protection questions in its annual FISMA guidance.\nOMB Memorandum M-08-21, FY 2008 Reporting Instructions for the Federal Information\nSecurity Management Act and Agency Privacy Management, July 14, 2008 requires\nagencies to include in their annual FISMA submission the following items:\n\n\xe2\x80\xa2     a breach notification policy;\n\xe2\x80\xa2     an implementation plan and progress update to eliminate unnecessary use of Social\n      Security numbers;\n\xe2\x80\xa2     an implementation plan and progress update on the review and reduction of holdings\n      of PII; and\n\xe2\x80\xa2     a policy outlining rules of behavior and identifying consequences and corrective\n      actions available for failure to follow these rules.\n\nIn addition, OMB Memorandum M-08-21 requires that Inspectors General rate the quality of\nagencies\xe2\x80\x99 Privacy Impact Assessment process and progress on implementing OMB\nMemorandum M-07-16.\n\n\n\n\n1\n    Pub. L. No. 107-347, Title III, Section 301 et seq,, 44 U.S.C. 
\xc2\xa7 3541 et seq.\n2\n    SSA\xe2\x80\x99s FY 2005 Performance and Accountability Report, page 163.\n\n\n                                                       C-1\n\x0cThis report informs Congress and the public about the Federal Government\'s security\nperformance, and fulfills OMB\'s requirement under FISMA to submit an annual report to\nCongress. It provides OMB\'s assessment of Government-wide IT security strengths\nand weaknesses and a plan of action to improve performance. The Committee on\nOversight and Government Reform issues an annual Report Card on Computer\nSecurity at Federal Departments and Agencies. SSA has received a score of A+ and A\nover the past 2 years.\n\n\n\n\n                                         C-2\n\x0c                                                                                    Appendix D\n\nScope and Methodology\nThe Federal Information Security Management Act (FISMA) directs each agency\xe2\x80\x99s\nOffice of Inspector General (OIG) to perform, or have an independent external auditor\nperform, an annual independent evaluation of the agency\xe2\x80\x99s information security program\nand practices, as well as a review of an appropriate subset of agency systems. 1 The\nSocial Security Administration\xe2\x80\x99s (SSA) OIG contracted with PricewaterhouseCoopers\nLLP (PwC) to audit SSA\xe2\x80\x99s Fiscal Year (FY) 2008 financial statements. Because of the\nextensive internal control system work that is completed as part of that audit, our FISMA\nreview requirements were incorporated into the PwC financial statement audit contract.\nThis evaluation included Federal Information System Controls Audit Manual (FISCAM)\nlevel reviews of SSA\xe2\x80\x99s mission-critical sensitive systems. 
PwC performed an \xe2\x80\x9cagreed-\nupon procedures\xe2\x80\x9d engagement using FISMA, the Office of Management and Budget\n(OMB) Memorandum M-08-21, FY 2008 Reporting Instructions for the Federal\nInformation Security Management Act and Agency Privacy Management, National\nInstitute of Standards and Technology guidance, FISCAM, and other relevant security\nlaws and regulations as a framework to complete the OIG required review of SSA\xe2\x80\x99s\ninformation security program and practices and its sensitive systems. We also\nconsidered the security implications of OMB Memorandum M-07-16.\n\nThe results of our FISMA evaluation are based on the PwC FY 2008 Independent\nAccountants\xe2\x80\x99 Report on Applying Agreed-Upon Procedures report and working papers\nand various audits and evaluations performed by this office. We also reviewed the final\ndraft of SSA\'s FY 2008 Security Program Review as required by the Federal Information\nSecurity Management Act.\n\nOur major focus was an evaluation of SSA\xe2\x80\x99s plan of action and milestones (POA&M)\nprocess, risk models and configuration settings, certifications and accreditations (C&A),\nand systems inventory processes. Our evaluation of SSA\xe2\x80\x99s POA&Ms included an\nanalysis of Automated Security Self-Evaluation and Remediation Tracking system and\nits policies. Our review of the Agency\xe2\x80\x99s C&A process included an analysis of the C&As\nfor each of the 20 major systems. We also reviewed SSA\xe2\x80\x99s updated systems inventory\nand the policy for the update processes. In addition, we considered the impact of\nrelated OIG FY 2008 audits.\n\nWe also reviewed the Agency\xe2\x80\x99s work and status in areas highlighted by a President\xe2\x80\x99s\nCouncil on Integrity and Efficiency report, Key Escrow Management and File Encryption\nChallenges for the Federal Inspector General Community, issued in June 2008. 
The\nreport addressed concerns related to protection of Personally Identifiable Information\n(PII), OIG access to records, and key escrow management. 2 While these issues are not\n1\n    Pub. L. No. 107-347, Title III, Section 301 (b)(1) \xc2\xa7 3545, 44 U.S.C \xc2\xa7 3545.\n\n2\n Key escrow is an arrangement in which the keys needed to decrypt encrypted data are held in escrow\nby a third party so that, under certain circumstances, an authorized third party may gain access to those\nkeys.\n                                                      D-1\n\x0cexpressly discussed in the OMB\xe2\x80\x99s FY 2008 FISMA guidance, they are closely related to\nthe intent of FISMA and OMB\xe2\x80\x99s emphasis on the protection of PII. Therefore, we have\nincluded steps to address these issues in our review.\n\nWe performed field work at SSA facilities nationwide from March to September 2008.\nWe considered the results of other OIG audits performed in FY 2008. We conducted\nthis performance audit in accordance with generally accepted government auditing\nstandards. Those standards require that we plan and perform the audit to obtain\nsufficient, appropriate evidence to provide a reasonable basis for our findings and\nconclusions based on our audit objectives. 
We believe the evidence obtained provides\na reasonable basis for our findings and conclusions based on our audit objectives.\n\n\n\n\n                                         D-2\n\x0c                                                                      Appendix E\n\nSystems Certified and Accredited in Fiscal Year 2008\n#                            System                                   Acronym\n                 General Support Systems\n1   Audit Trail System                                         ATS\n2   Comprehensive Integrity Review Process                     CIRP\n\n3   Death Alert, Control and Update System                     DACUS\n\n4   Debt Management System                                     DMS\n\n5   Enterprise Wide Mainframe & Distributed Network            EWAN\n    Telecommunications Services System\n6   FALCON Data Entry System                                   FALCON\n\n7   Human Resources Management Information System              HRMIS\n\n8   Integrated Client Database                                 ICDB\n\n9   Integrated Disability Management System                    IDMS\n\n10 Lenel Security Access System                                LSAS\n\n11 Quality Assurance Systems                                   QA\n\n12 Social Security Online Accounting & Reporting System        SSOARS\n13 Security Unified Measurement System                         SUMS\n\n\n                      Major Applications\n1   Electronic Disability System                               eDib\n2   Earnings Record Maintenance System                         ERMS\n3   Recovery of Overpayments, Accounting and Reporting         ROAR\n    System\n4   Retirement, Survivors & Disability Insurance Accounting    RSDI\n    System\n5   Social Security Number Enumeration and Correction System   SSNECS\n6   Supplemental Security Income Record Maintenance System     SSIRMS\n\n7   Title II System                                            T2\n\x0c                                      
                                                                      Appendix F

OIG Contacts and Staff Acknowledgments

OIG Contacts

   Kitt Winter, Director, Information Technology Audit Division, (410) 965-9702

   Phil Rogofsky, Audit Manager, Information Technology Audit Division,
   (410) 965-9719

Acknowledgments

In addition to the persons named above:

   Grace Chi, Auditor in Charge

   Tina Nevels, Auditor

   Michael Zimmerman, Auditor

For additional copies of this report, please visit our web site at
www.socialsecurity.gov/oig or contact the Office of the Inspector General’s Public
Affairs Staff Assistant at (410) 965-4518. Refer to Common Identification Number
A-14-08-18063.

                           DISTRIBUTION SCHEDULE

Commissioner of Social Security
Office of Management and Budget
Chairman and Ranking Member, Committee on Ways and Means
Chief of Staff, Committee on Ways and Means
Chairman and Ranking Minority Member, Subcommittee on Social Security
Majority and Minority Staff Director, Subcommittee on Social Security
Chairman and Ranking Minority Member, Subcommittee on Human Resources
Chairman and Ranking Minority Member, Committee on Budget, House of Representatives
Chairman and Ranking Minority Member, Committee on Government Reform, House of Representatives
Chairman and Ranking Minority Member, Committee on Science, House of Representatives
Chairman and Ranking Minority Member, Committee on Governmental Affairs, U.S. Senate
Chairman and Ranking Minority Member, Committee on Commerce, Science and Transportation, U.S. Senate
Chairman and Ranking Minority Member, Committee on Appropriations, House of Representatives
Chairman and Ranking Minority Member, Subcommittee on Labor, Health and Human Services,
Education and Related Agencies, Committee on Appropriations, House of Representatives
Chairman and Ranking Minority Member, Committee on Appropriations, U.S. Senate
Chairman and Ranking Minority Member, Subcommittee on Labor, Health and Human Services,
Education and Related Agencies, Committee on Appropriations, U.S. Senate
Chairman and Ranking Minority Member, Committee on Finance
Chairman and Ranking Minority Member, Subcommittee on Social Security and Family Policy
Chairman and Ranking Minority Member, Senate Special Committee on Aging

                         Overview of the Office of the Inspector General

The Office of the Inspector General (OIG) comprises an Office of Audit (OA), Office of Investigations
(OI), Office of the Counsel to the Inspector General (OCIG), Office of External Relations (OER), and Office of
Technology and Resource Management (OTRM). To ensure compliance with policies and procedures, internal
controls, and professional standards, the OIG also has a comprehensive Professional Responsibility and Quality
Assurance program.

                                                  Office of Audit

OA conducts financial and performance audits of the Social Security Administration’s (SSA) programs and
operations and makes recommendations to ensure program objectives are achieved effectively and efficiently.
Financial audits assess whether SSA’s financial statements fairly present SSA’s financial position, results of
operations, and cash flow. Performance audits review the economy, efficiency, and effectiveness of SSA’s
programs and operations. OA also conducts short-term management reviews and program evaluations on issues
of concern to SSA, Congress, and the general public.

                                              Office of Investigations

OI conducts investigations related to fraud, waste, abuse, and mismanagement in SSA programs and operations.
This includes wrongdoing by applicants, beneficiaries, contractors, third parties, or SSA employees performing
their official duties. This office serves as liaison to the Department of Justice on all matters relating to the
investigation of SSA programs and personnel. OI also conducts joint investigations with other Federal, State,
and local law enforcement agencies.

                            Office of the Counsel to the Inspector General

OCIG provides independent legal advice and counsel to the IG on various matters, including statutes,
regulations, legislation, and policy directives. OCIG also advises the IG on investigative procedures and
techniques, as well as on legal implications and conclusions to be drawn from audit and investigative material.
Also, OCIG administers the Civil Monetary Penalty program.

                                        Office of External Relations

OER manages OIG’s external and public affairs programs, and serves as the principal advisor on news releases
and in providing information to the various news reporting services. OER develops OIG’s media and public
information policies, directs OIG’s external and public affairs programs, and serves as the primary contact for
those seeking information about OIG. OER prepares OIG publications, speeches, and presentations to internal
and external organizations, and responds to Congressional correspondence.

                           Office of Technology and Resource Management

OTRM supports OIG by providing information management and systems security. OTRM also coordinates
OIG’s budget, procurement, telecommunications, facilities, and human resources. In addition, OTRM is the
focal point for OIG’s strategic planning function, and the development and monitoring of performance
measures. OTRM also receives and assigns for action allegations of criminal and administrative
violations of Social Security laws, identifies fugitives receiving benefit payments from SSA, and provides
technological assistance to investigations.
